U.S. Department of Energy
Office of Inspector General
Office of Audit Services

Audit Report
Development and Implementation of the Department's Enterprise Architecture

DOE/IG-0686    April 2005

REPORT ON DEVELOPMENT AND IMPLEMENTATION OF THE DEPARTMENT'S ENTERPRISE
ARCHITECTURE

TABLE OF CONTENTS

Enterprise Architecture Development and Implementation

   Details of Finding
   Recommendations
   Comments

Appendices

   1. Objective, Scope, and Methodology
   2. Prior Reports

(DOE/IG-0572, November 2002), disclosed that programs were developing
separate systems that were not capable of full integration due to the lack
of an architecture.

The Office of the Chief Information Officer (CIO) and EM advised us that the
program office architectures are integrated with the overall architecture
design.
The Office of the CIO indicated that periodic guidance documents, an
enterprise architecture working group, and an architecture repository have
ensured that program office architectures supported compatibility with the
Department-wide effort. Finally, the Office of the CIO stated that it has
established desktop standard guidance, such as eXCITE, and associated
enterprise agreements to support architecture development and
implementation.

EM further elaborated that it was using the same Enterprise Architecture
development tool and models as the Department to ensure integration.
Additionally, EM pointed out that it had an up-to-date inventory of systems
in the Repository and had conducted reviews to eliminate duplicative
systems. We acknowledge that the Office of the CIO, EM and other programs
have recently adopted measures to improve integration of their efforts with
the Department's overall architecture. Furthermore, we recognize that EM has
taken positive steps to identify and eliminate duplicative systems.

Despite these efforts towards improving integration of program-level efforts
with the Department's development of an overall architecture, we noted that
further improvements are needed. For example:

•   The periodic guidance referenced by the Office of the CIO has generally
    not been mandatory, did not contain information regarding
    standardization of all information technology systems at field sites and
    contractors, and was not formally released.
    As a result, the programs are not required to follow the standards
    contained in the guidance when they develop their future technology
    requirements.

•   While we agree that the enterprise architecture working group is a
    positive step, program officials we spoke with during the course of the
    audit questioned the effectiveness of the group. For example, one
    official responsible for developing a program-level architecture
    expressed frustration that there was little feedback to the programs,
    very little two-way communication between the Office of the CIO and
    programs, and limited training to support the architecture efforts.

•   As previously noted, the Repository is still being populated and much of
    the information relating to the Department's desired information
    technology environment has not been included.

•   Although the Department developed desktop standards as part of eXCITE,
    the initiative is limited to Headquarters and does not include all
    program offices.

Policies, Plans and Performance Measures

The Department has not fully developed and implemented an enterprise
architecture because policies were not in place to guide development at all
organizational levels, no formal program plan existed, and performance goals
tied to budget
needs had not been established.

Policy

A policy describing the roles and responsibilities for developing and
implementing an enterprise architecture had not been developed. According to
guidance published by the Federal Chief Information Officers' Council (CIO
Council), such a policy should include a description of the relationship of
the architecture to the Department's strategic plans and capital planning
process; a commitment to develop, implement, and maintain an architecture;
and, a description of the enforcement policy. The current Department order
on information technology management requires the Chief Information Officer
(CIO) to facilitate development and maintenance of an information technology
architecture.

Current Departmental policy, however, does not delineate roles,
responsibilities, or authorities of Department elements to ensure consistent
development and implementation of an architecture.
While the Department has begun drafting an update to this order, the draft
does not include enforcement policies or describe methods to integrate
program architectures with the Department-wide effort.

Program Plan

The Department also did not have an approved program management plan for
addressing the development and implementation of an architecture. According
to CIO Council guidance, such a plan should include the scope, cost, and
schedule of the architecture initiative, incorporating information about how
program-level efforts would complement the overall enterprise architecture,
as well as the roles and responsibilities for completing the effort.
Although the Department had developed a draft project plan to support the
efforts, as required by project management directives, it excluded the scope
of the development effort, costs, and definitive milestones.
An official in the Office of the CIO recently told us that a complete
project plan did not exist for the ongoing development of the Department's
architecture.

Performance Goals

Officials also did not consistently emphasize the development and
implementation of an enterprise architecture in its performance goals and
measures. Although the Department's 2003 Annual Performance Plan included a
goal to develop an enterprise architecture, the goal was not met and it was
dropped from the 2004 Annual Performance Plan because of changing
priorities. Similarly, we found that certain program offices did not
establish performance measures for the development of their information
technology architectures. While the status of the Department's architecture
effort was tracked as part of the President's Management Agenda (Agenda)
scorecard, the Department's budget request did not contain goals that linked
funding for architecture efforts to performance, missions, or achievement of
the Agenda's goals.

Cost and Operational Impacts

As a result of the problems identified, the Department does not have an
agency-wide architecture despite the expenditure of $14 million and 10 years
of effort.
Without improvements, the Department may be unable to implement an effective
corporate approach for managing information technology investments. As
demonstrated by a series of reports issued since 1998, the lack of an
architecture contributes to costly and potentially incompatible and
non-integrated systems. Specifically, the lack of an enterprise architecture
contributed to more than $155 million in lost savings (see Appendix 2).

Additionally, without adequate program planning, the Department could not
ensure that the architecture development effort was well organized,
program-level efforts were consistent with Department-wide efforts, and that
its costs and schedule were controlled. Further, the absence of meaningful
performance goals and measures increases the risk that the Department will
be unable to manage its progress towards implementing an enterprise
architecture.

RECOMMENDATIONS

To ensure successful completion and implementation of an enterprise
architecture, we recommend that the Department's Chief Information Officer,
in coordination with the Administrator, National Nuclear Security
Administration, and the Program Secretarial Officers:

1.  Modify existing policy and guidance for the enterprise architecture to
    describe the:

    •   Relationship of the architecture to the Department's strategic plans
        and capital planning process;

    •   Commitment to develop, implement, and maintain an architecture;

    •   Enforcement policy to implement the architecture; and,

    •   Roles and responsibilities, down to the program-level, including the
        Department's contractors.

2.  Develop, approve, and implement a program management plan that includes
    elements of cost, scope, and schedule for developing both program-level
    and the Department-wide architecture; and,

3.  Incorporate efficiency measures for architecture development and
    implementation efforts into the Department's annual performance budget.

MANAGEMENT REACTION

Management generally concurred with the intent of the recommendations, but
initially disagreed with the focus of several recommendations.
Based on management's comments and a number of discussions with program and
Office of CIO officials, we modified our recommendations to recognize that
the architecture should be viewed as an ongoing program and that performance
measures should be included in the Department's budget to guide its further
development. After reviewing modifications to the report, officials from the
Office of the CIO indicated that management generally concurred with each
recommendation, but continued to disagree with certain conclusions.

In commenting on our conclusion that the Department had not defined its
information technology requirements needed to make investment decisions, the
CIO stated that architecture standards are updated and published in each
version of the enterprise architecture. Management also asserted that
investments are reviewed annually for compliance with the enterprise
architecture as part of the capital planning and investment control process.

Additionally, as we noted in the body of this report, management indicated
that it has taken actions necessary to ensure that program office
architectures are integrated with, support, and are compatible with the
Department's architecture.
Management also cited initiatives that it has underway to consolidate all
aspects of common information technology services throughout the Department
as examples of integration.

EM asserted that a project plan was followed during development of its
program architecture and that its major investments and systems are aligned
to the Agenda, as well as Departmental and program strategic goals, as part
of the Repository. Finally, EM responded that it uses a capital planning and
investment control process that includes architectural compliance to manage
its investments. During a subsequent conversation, an EM official commented
that EM's enterprise architecture efforts have always been directed towards
the development of the Department's enterprise architecture rather than
focused on a stand-alone program architecture.

The Office of Fossil Energy recognized that much work needs to be done
toward developing and implementing an enterprise architecture, but believed
that the Department had taken positive steps to improve its architecture
efforts. Science and NNSA had no comments on the draft report.

AUDITOR COMMENTS

Management's comments are generally responsive to the intent of our
recommendations.

Contrary to the impressions given by management's comments, our audit
disclosed that a complete and
approved enterprise architecture does not exist and is not being implemented
across the complex. While we concur that the Department has developed
architecture-related standards and guidance, these efforts, as discussed in
the body of this report, were not sufficient and did not result in a
complete and usable enterprise architecture.

Our finding in this area is bolstered by a September 2004 assessment
conducted by the Office of Management and Budget (OMB). In that assessment,
the Department achieved a score of 2.25 out of 5.0 on its latest
architecture assessment largely because it had not defined its target
architecture or associated transition plan. The lack of a completed
architecture was also cited as a contributing factor to the Department's
failure to achieve "green" on the latest Agenda e-Government scorecard of
December 31, 2004. Finally, we note that in March 2005, an Office of CIO
official stated that the Department needed to develop a detailed enterprise
"To Be" architecture and migration plan.

Further, although investments are reviewed as part of the capital planning
process, the results of the review are limited because the process was
undertaken utilizing an architecture that was incomplete and not formally
released. For example, OMB's recent assessment disclosed that the
Department's enterprise architecture did not demonstrate the ability to make
improved resource allocation decisions.
We also noted that the Department's internal architecture Completion and Use
Plan indicates that the Department will begin to include examples of
improved resource allocation decisions in annual enterprise architecture
submissions to OMB by September 2005.

During meetings to discuss management's comments, EM clarified that its
project plan was not intended to encompass the development of a complete
program architecture. Specifically, an official acknowledged that EM's
project plan was designed to support development and population of an
architecture repository. As such, EM's program-level architecture did not
conform to Departmental and OMB guidance. For instance, EM's documentation
did not define how the target architecture would support the program's
mission or a plan for implementing such requirements.
We acknowledge that EM has taken positive steps by implementing a capital
planning process and conducting e-Government reviews to identify and
eliminate duplicative systems.

Appendix 1

OBJECTIVE

To determine whether the Department had developed and implemented an
enterprise architecture to guide its sizable information technology
investment.

SCOPE

The audit was performed between October 2003 and March 2005 at Department
Headquarters in Washington, D.C., and Germantown, MD; the National Energy
Technology Laboratory, Morgantown, WV, and Pittsburgh, PA; the Chicago
Office and Argonne National Laboratory, Argonne, IL; and the Fermi National
Accelerator Laboratory, Batavia, IL. We also obtained information from the
Oak Ridge Reservation, Oak Ridge, TN, and the Lawrence Livermore National
Laboratory, Livermore, CA.

METHODOLOGY

To accomplish our audit objective, we:

•   Reviewed applicable laws and regulations pertaining to development and
    implementation of an enterprise architecture.
    We also reviewed reports issued by the Office of Inspector General and
    the Government Accountability Office;

•   Reviewed numerous documents related to the Department's enterprise
    architecture efforts, including documents supporting past development
    efforts;

•   Reviewed guidance issued by OMB and the CIO Council;

•   Held discussions with program officials and personnel from Department
    Headquarters and field sites reviewed, including representatives from
    the Offices of Environmental Management; Science; Chief Information
    Officer; and Nuclear Energy, Science, and Technology; as well as the
    NNSA; and,

•   Reviewed the Government Performance and Results Act of 1993 and
    determined if performance measures had been established for enterprise
    architecture development.

The audit was conducted in accordance with generally accepted Government
auditing standards for performance audits and included tests of internal
controls and compliance with laws and regulations to the extent necessary to
satisfy the audit objective.
Accordingly, we assessed internal controls regarding the development and
implementation of the Department's enterprise architecture. Because our
review was limited, it would not necessarily have disclosed all internal
control deficiencies that may have existed at the time of our audit. We also
assessed performance measures in accordance with the Government Performance
and Results Act of 1993 regarding development of an enterprise architecture.
As noted in the report, the Department did not consistently emphasize
development and implementation of an architecture in its performance goals.
We did not rely on computer-processed data to accomplish our audit
objective.

An exit conference was held with the Office of Science on March 7, 2005, and
the Office of Environmental Management on March 8, 2005. The Offices of the
Chief Information Officer and Fossil Energy, and the National Nuclear
Security Administration waived exit conferences.

Appendix 2

PRIOR REPORTS

Enterprise Architecture Reports

The following audit reports issued by the Office of Inspector General since
1998 have highlighted the impact of the Department's failure to implement an
enterprise architecture.
Together, these reports demonstrate more than $155 million in lost cost
savings and operational inefficiencies resulting from the lack of an
architecture.

•   Nuclear Materials Accounting Systems Modernization Initiative
    (DOE/IG-0556, June 2002). The Department may not realize its anticipated
    potential annual operating savings of $66 million. The Department had
    not adequately managed its activities to redesign or modernize its
    nuclear materials accounting systems. Moreover, planned and ongoing
    system development efforts were not fully consistent with the Corporate
    Systems Information Architecture. Organizations were allowed to continue
    to develop or upgrade accounting and production related systems at a
    projected cost of over $7.5 million.

•   Telecommunications Infrastructure (DOE/IG-0537, December 2001). The
    Department annually spends at least $4 million more than necessary to
    operate and maintain its telecommunications infrastructure. Duplicative
    data transmission infrastructures existed across the Departmental
    complex.

•   Information Technology Support Services Contracts (DOE/IG-0516,
    August 2001). Significant savings of as much as $44 million over a three
    year period are possible if the Department adopts an enterprise-wide
    approach to acquiring information technology support services.
    Headquarters and field elements routinely obtained information
    technology support services without making maximum use of existing
    Federal contracts designed for this purpose.
    Further, the Department had not established requirements for
    Headquarters program offices to consolidate the acquisition of
    information technology support services and for all Departmental
    organizations, including contractors, to formally consider the use of
    existing Federal contracts when acquiring information technology support
    services.

•   Virus Protection Strategies and Cyber Security Incident Reporting
    (DOE/IG-0500, April 2001). The Department could improve consistency,
    increase overall coverage, and save as much as $3 million by adopting an
    enterprise-wide approach to virus protection software acquisition. As a
    result, the Department spent over $3.8 million annually for a computer
    incident response capability that cannot adequately assess the threat
    experience of the complex as a whole.

•   Commercial off-the-Shelf Software Acquisition Framework (DOE/IG-0463,
    March 2000). Without a framework, the Department had been unable to take
    advantage of enterprise-wide software contracts that could have resulted
    in savings of $38 million. Specifically, the Department had not
    developed and implemented software standards or effectively used
    enterprise-wide contracts, key components of a commercial off-the-shelf
    framework. The Department's inability to establish a framework was due
    to its decentralized information technology strategy and lack of
    organizational support.

Other Related Reports

•   Management of the Department's Personnel Security and Access Control
    Information Systems (DOE/IG-0651, June 2004). The Department had spent
    or plans to spend at least $13 million to develop, implement, or
    maintain multiple systems that will not fully benefit the complex.
    The Department had not developed a comprehensive framework for
    modernizing its personnel security and access control information
    systems and did not always follow sound system development practices.
    Absent a coordinated approach, the Department is unlikely to achieve its
    objective to improve the cost-effectiveness and efficiency of these
    critical systems.

•   Management Challenges at the Department of Energy (DOE/IG-0626,
    November 2003). The Department continued to experience challenges in a
    number of important areas, including information technology management.
    Specifically, the Department had not satisfied the requirements of the
    Clinger-Cohen Act to effectively manage information technology. Program
    elements were developing separate systems that were not capable of full
    integration with other business systems, did not link performance and
    financial data, and did not replace inefficient program and site-level
    financial management systems.

•   Special Report on The Department of Energy's Implementation of the
    Clinger-Cohen Act of 1996 (DOE/IG-0507, June 2001). The Department had
    not satisfied major requirements of the Clinger-Cohen Act to develop and
    implement an integrated, enterprise-wide information technology
    architecture and acquire information technology related assets in an
    effective and efficient manner. Despite many years of effort and
    significant expenditures, the Department had yet to deploy an
    integrated, enterprise-wide information technology architecture. Because
    of its decentralized approach to information technology management, the
    Department has been unable to constrain duplicative information systems
    development and effectively deploy corporate-level systems.

•   Corporate and Stand-Alone Information Systems Development (DOE/IG-0485,
    September 2000).
    The Department spent at least $38 million developing duplicative
    information systems. Despite efforts to implement several
    corporate-level applications, duplicative and/or redundant computer
    systems existed or were under development at virtually all
    organizational levels within the Department. Many organizations
    continued to invest in custom or site-specific development efforts that
    duplicated corporate systems.

•   Review of the U.S. Department of Energy's Information Management Systems
    (DOE/IG-0423, August 1998). The Department had not developed and
    implemented an Information Technology Architecture. Additionally, only
    one program office had initiated development of its information
    architecture. The lack of an architecture could adversely affect the
    successful attainment of a strategic goal for $100 million in cost
    avoidances. These problems occurred due to a lack of organizational
    support for an Information Technology Architecture.

Government Accountability Office

•   Information Technology: Leadership Remains Key to Agencies Making
    Progress on Enterprise Architecture Efforts (GAO-04-40, November 2003).
    Attempting to modernize and evolve information technology environments
    without an enterprise architecture often results in operations and
    systems that are duplicative, not well integrated, unnecessarily costly
    to maintain and interface, and ineffective in supporting mission goals.
    The Department had only achieved stage 1 of 5 on the Government
    Accountability Office's Management Maturity Framework (Version 1.1).
    Specifically, the Department lacked an automated tool and written and
    approved policies, among other things, for developing and implementing
    an architecture.

The Office of Inspector General wants to make the distribution of its
reports as customer friendly and cost effective as possible. Therefore, this
report will be available electronically through the Internet at the
following address:

U.S. Department of Energy Office of Inspector General Home Page
http://www.ig.doe.gov